feat(generated)!: regenerate from spec (9 changes)

[workos-sdk-automation]

Summary

feat(user_management): Remove return_to param from revoke session

• Removed UserManagementRevokeSessionOptions.ReturnTo property
• Updated API to no longer accept return_to parameter when revoking sessions

feat(radar): Remove domain_sign_up_rate_limit control

• Removed RadarStandaloneResponseControl.DomainSignUpRateLimit enum value
• This control is no longer available for radar standalone response configuration

feat(vault): Replace Object with VaultObject

• Removed Object class from vault service
• Replaced with VaultObject class in VaultService.GetNameAsync() and VaultService.GetKvAsync() return types
• Updated test fixtures to use vault_object.json

feat(webhooks): Remove dsync.deactivated event

• Removed DsyncDeactivated event class
• Removed DsyncDeactivatedData and DsyncDeactivatedDataDomain event payload classes
• Removed enum types DsyncDeactivatedDataType and DsyncDeactivatedDataState

feat(api_keys): Make expires_at required in API key created/revoked events

• ApiKeyCreatedData.expires_at field is now required (previously optional)
• ApiKeyRevokedData.expires_at field is now required (previously optional)
• This is a breaking change for event handlers depending on nullable expires_at

feat(api_keys): Add expire endpoint and API key updated event

• Added ApiKeysService.CreateExpireAsync() method to expire API keys
• Added ApiKeysCreateExpireOptions request options class with optional ExpiresAt parameter
• Added ApiKeyUpdated event class and ApiKeyUpdatedData event payload
• Added ApiKeyUpdatedDataPreviousAttribute to track previous expires_at value
• New webhook event type: api_key.updated

feat(webhooks): Add dsync token created/revoked events

• Added DsyncTokenCreated event class and DsyncTokenCreatedData event payload
• Added DsyncTokenRevoked event class (reuses DsyncTokenCreatedData payload)
• New webhook event types: dsync.token.created and dsync.token.revoked

feat(user_management): Add name field to user models

• Added name field to User class
• Added name field to UserObject class
• Added name parameter to CreateUserOptions and UpdateUserOptions
• Added name field to EmailChangeConfirmationUser
• Added documentation clarifying session ID vs return_to parameters

feat(webhooks): Add Snowflake log stream type

• Added Snowflake enum value to AuditLogConfigurationLogStreamType
• Added API_KEY_UPDATED and api_key.updated webhook event types

Triggered by workos/openapi-spec@dee95fc

BEGIN_COMMIT_OVERRIDE
feat(user_management): Remove return_to param from revoke session (#263)
feat(radar): Remove domain_sign_up_rate_limit control (#263)
feat(vault): Replace Object with VaultObject (#263)
feat(webhooks): Remove dsync.deactivated event (#263)
feat(api_keys): Make expires_at required in API key created/revoked events (#263)
feat(api_keys): Add expire endpoint and API key updated event (#263)
feat(webhooks): Add dsync token created/revoked events (#263)
feat(user_management): Add name field to user models (#263)
feat(webhooks): Add Snowflake log stream type (#263)
END_COMMIT_OVERRIDE

[greptile-apps]

Greptile Summary

This is an auto-generated spec-sync PR adding 9 feature changes: new webhook event types (api_key.updated, dsync.token.created, dsync.token.revoked), a new /api_keys/{id}/expire endpoint, name fields on User models, Snowflake log stream type, and removal of deprecated fields (ReturnTo from revoke-session, DomainSignUpRateLimit, dsync.deactivated).

• API Keys: CreateExpireAsync added to ApiKeysService; ApiKeyUpdated event class and ApiKeyUpdatedDataPreviousAttribute added with a new discriminator converter for the owner union type.
• Vault: GetNameAsync/GetKvAsync return type changed from the deleted Object class to the pre-existing VaultObject; the JSON structure returned by those endpoints (metadata nested under a metadata key) does not match VaultObject's flat [JsonProperty] mappings, so metadata fields will silently deserialise as null.
• User Management / Webhooks / Enums: name field added to User, UserObject, CreateUserOptions, UpdateUserOptions; dsync.token.* events, Snowflake stream type, and webhook enum values added cleanly.

Confidence Score: 3/5

The Vault Get methods now return a type that cannot deserialise the nested metadata fields from the actual API response, causing silent data loss for any caller reading EnvironmentId, KeyId, VersionId, or UpdatedBy after a GetNameAsync/GetKvAsync call.

Most of the PR is a clean, well-patterned spec sync. The concern is in the Vault service: replacing Object (which had a proper ObjectMetadata property) with VaultObject (which maps metadata fields at the JSON root) against a response shape that nests those fields under metadata. The tests cover only Id, Name, Value and do not catch the metadata loss.

src/WorkOS.net/Services/Vault/VaultService.cs and src/WorkOS.net/Entities/VaultObject.cs — confirm whether the Get endpoint response nests metadata or returns flat fields, and update the mapping accordingly.

Important Files Changed

Filename	Overview
src/WorkOS.net/Services/Vault/VaultService.cs	Changed GetNameAsync/GetKvAsync return type from Object to VaultObject; however VaultObject maps metadata fields at root JSON level while the API response nests them under a metadata key, causing silent data loss.
src/WorkOS.net/Client/Utilities/EventSchemaDiscriminatorConverter.cs	Added api_key.updated, dsync.token.created, dsync.token.revoked discriminator cases; the two dsync.token.* entries are placed out of alphabetical order within the switch.
src/WorkOS.net/Client/Utilities/ApiKeyUpdatedDataOwnerDiscriminatorConverter.cs	New discriminator converter for ApiKeyUpdatedData.Owner; correctly reuses ApiKeyCreatedDataOwner and UserApiKeyCreatedDataOwner types, matching the pattern of ApiKeyCreatedDataOwnerDiscriminatorConverter.
src/WorkOS.net/Entities/ApiKeyUpdatedData.cs	New event payload class for api_key.updated; mirrors ApiKeyCreatedData structure and adds PreviousAttributes field for tracking prior expires_at.
src/WorkOS.net/Services/ApiKeys/ApiKeysService.cs	Added CreateExpireAsync method posting to /api_keys/{id}/expire; follows established async+sync-wrapper pattern used by all other methods.
src/WorkOS.net/Entities/DsyncTokenRevoked.cs	New event class for dsync.token.revoked; intentionally reuses DsyncTokenCreatedData payload type per spec (same shape for both events).
test/WorkOSTests/Tests/ApiKeysServiceTest.cs	Added TestCreateExpireAsync test using api_key.json fixture; the newly added expire_api_key.json and expire_api_key_nulls.json fixtures go untested.
src/WorkOS.net/Entities/User.cs	Added nullable Name property (full name); consistent with parallel addition in UserObject.cs and CreateUserOptions/UpdateUserOptions.
src/WorkOS.net/Services/UserManagement/_interfaces/UserManagementOptions.cs	Removed ReturnTo from UserManagementRevokeSessionOptions and added Name to CreateUserOptions/UpdateUserOptions; doc comments updated for GetLogoutUrlOptions.

Comments Outside Diff (1)

1. src/WorkOS.net/Services/Vault/VaultService.cs, line 149-184 (link)

   VaultObject metadata fields will always be null for Get responses

   VaultObject maps EnvironmentId, KeyId, VersionId, UpdatedAt, and UpdatedBy using [JsonProperty] attributes that expect those fields at the root JSON level. However, the new vault_object.json fixture (the expected API shape for GetNameAsync/GetKvAsync) places all those values inside a nested metadata object. As a result every caller that reads result.EnvironmentId, result.KeyId, etc. after calling GetNameAsync or GetKvAsync will silently get null. The deleted Object class explicitly had an ObjectMetadata Metadata property that correctly modelled this nested structure; the replacement loses that data.

_{Reviews (1): Last reviewed commit: "chore(generated): add release notes frag..." | Re-trigger Greptile}

[greptile-apps]

Out-of-order dsync.token entries

The two new dsync.token.* cases are inserted between dsync.group.updated and dsync.group.user_added, but alphabetically dsync.token.* sorts after dsync.user.*. An api_key.updated case was also added correctly in the already-sorted api_key.* block. For consistency with the rest of the switch (which appears to be lexicographically ordered), the new dsync.token.created and dsync.token.revoked cases should be placed after dsync.user.updated.

Note: If this suggestion doesn't match your team's coding style, reply to this and let me know. I'll remember it for next time!

[greptile-apps]

Test uses api_key.json instead of the newly added expire_api_key.json

TestCreateExpireAsync loads testdata/api_key.json as its mock response, but this PR also adds testdata/expire_api_key.json and testdata/expire_api_key_nulls.json. If those fixtures represent the actual /expire endpoint response shape ({"expires_at": "..."}) they are never exercised. If the real endpoint returns a full ApiKey object then the added fixtures are dead files. Either the test should use expire_api_key.json, or the unused fixtures should be removed.